Comment Re:Every time XKCD 936 is Mentioned (Score 1) 549
Weirdly, I was thinking about that comic entry just a couple of days ago. "It's simple math that shows that Munroe's method is better for creating stronger password" - is it, though? What about dictionary attacks? Attackers could just join 3 or 4 English words together in an attempt to brute force such passwords. This drastically reduces that kind of "passphrase"'s entropy.
Let's assume that we have a dictionary of 15,000 common English words (a very reasonable assumption (examples found from Wiktionary's frequency list in the 14,000s are: zebra, tightly, and curves), though obviously more would give us better entropy). Let us also assume the worst possible situation: they know our list of words, and they know we use four together (though we securely randomly pick them). The absolute worst case in this instance would be 15,000 x 15,000 x 15,000 x 15,000 = 50,625,000,000,000,000 possible combinations. Assuming that the attacker could hash a billion passwords a second, they would have a 50% chance of correctly guessing the password in approximately 293 days. Raise the size of the dictionary to 20,000 (now we have words like fairest, teapot, and haircuts) with the same conditions and you're looking at 2 and a half years for a 50% chance. Munroe's method still stands.